auth0 4.10.0 → 4.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '088787530ff625f8af83a64dec5b298a0802be569a23161d1619e08d1db1a24b'
-  data.tar.gz: 3631754f52de1a123dac236e82ccab2faf71477b5ee99cb90f5b31b72ce83ca6
+  metadata.gz: 7d5a0bd117bd194aa40c596db3da2cce8f1d73e155e725408fad834453b9c8bc
+  data.tar.gz: bb572e0e64599762214ea303a943dba8f0ac6685c9e2241a6a5381b9a63a8591
 SHA512:
-  metadata.gz: c71ce2a7048f106a8719e6103b66164b54dff4becb3803c6b415f4754c61f4c48e6d77dffd02a790735315ae24f6c589d94a4aab1cd54c8928ff27db7c5c0224
-  data.tar.gz: d48e1b2f8302a758eeef107388fe8670bbcfeca432b9c326ae56bd5b5558340d303963c23f26f76218c948a1454ed51a167da1a59aea9f987915ad960aaa7c5f
+  metadata.gz: 6905e324867b2d9f5127d05a2bbcbefb00f781bb472c572d0f81903aca19602676b22f05b5933d34364758b1cca72fde4b2ee3474c1299203e18a93e528f84e5
+  data.tar.gz: 441bfbbc17cbb148b11a11885f6fe41fd9157a93909b9cbb476aba5fde96419a89eb478d4ead1075d1689068164f4f26d509b0b5c6e8d15c6d6a44f9b1540f3d

data/.env.example

@@ -0,0 +1,2 @@
+DOMAIN=
+CLIENT_ID=

data/CHANGELOG.md

@@ -1,5 +1,60 @@
 # Change Log
 
+## [v4.15.0](https://github.com/auth0/ruby-auth0/tree/v4.15.0) (2020-09-04)
+
+**Added**
+
+- Add log streaming endpoints [\#233](https://github.com/auth0/ruby-auth0/pull/233) ([davidpatrick](https://github.com/davidpatrick))
+
+## [v4.14.0](https://github.com/auth0/ruby-auth0/tree/v4.14.0) (2020-07-20)
+
+[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v4.13.0...v4.14.0)
+
+**Deprecated**
+
+- Deprecate mgmt v1 calls [\#230](https://github.com/auth0/ruby-auth0/pull/230) ([davidpatrick](https://github.com/davidpatrick))
+
+**Removed**
+
+- Remove iat claim value check [\#229](https://github.com/auth0/ruby-auth0/pull/229) ([lbalmaceda](https://github.com/lbalmaceda))
+
+**Fixed**
+
+- Handle missing reset header [\#228](https://github.com/auth0/ruby-auth0/pull/228) ([Widcket](https://github.com/Widcket))
+
+## [v4.13.0](https://github.com/auth0/ruby-auth0/tree/v4.13.0) (2020-06-18)
+
+[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v4.12.0...v4.13.0)
+
+**Added**
+
+- Add prompts endpoints [\#205](https://github.com/auth0/ruby-auth0/pull/205) ([unhappychoice](https://github.com/unhappychoice))
+
+**Fixed**
+
+- Fix missing to_json [\#212](https://github.com/auth0/ruby-auth0/pull/212) ([qortex](https://github.com/qortex))
+
+## [v4.12.0](https://github.com/auth0/ruby-auth0/tree/v4.12.0) (2020-06-10)
+
+[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v4.11.0...v4.12.0)
+
+**Added**
+
+- Improve OIDC compliance [SDK-987] [\#225](https://github.com/auth0/ruby-auth0/pull/225) ([Widcket](https://github.com/Widcket))
+
+**Security**
+
+- Bump activesupport from 6.0.3 to 6.0.3.1 [\#221](https://github.com/auth0/ruby-auth0/pull/221) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump actionpack from 6.0.3 to 6.0.3.1 [\#220](https://github.com/auth0/ruby-auth0/pull/220) ([dependabot[bot]](https://github.com/apps/dependabot))
+
+## [v4.11.0](https://github.com/auth0/ruby-auth0/tree/v4.11.0) (2020-05-06)
+
+[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v4.10.0...v4.11.0)
+
+**Added**
+
+- [SDK-1542] Add client secret to Passwordless flow since it is now required [\#217](https://github.com/auth0/ruby-auth0/pull/217) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
 ## [v4.10.0](https://github.com/auth0/ruby-auth0/tree/v4.10.0) (2020-04-23)
 
 [Full Changelog](https://github.com/auth0/ruby-auth0/compare/v4.9.0...v4.10.0)

data/DEPLOYMENT.md

@@ -1,3 +1,15 @@
+# Releasing the gem
+
+## Credentials set up
+
+Make sure you have access in https://rubygems.org/gems/auth0/ and that your Ruby Gems tokens are set in `~/.gem/credentials`.
+
+In order to generate the required changelog entry, define an environment variable `GITHUB_READ_TOKEN` with a Github API token that has READ access to `repo:public_repo`. You can generate a Github API Token [here](https://github.com/settings/tokens/new?description=GitHub%20Changelog%20Generator%20token).
+
+Create a new Github Milestone with the version name prefixed with `v`. i.e. `v4.10.2`. Assign every Issue and Pull Request to be included on this release to that Milestone, and tag them with the `CH:xxxxxx` labels, depending on the type of change fixed or introduced there.
+
+Finally, follow the next steps:
+
 ```bash
 # Install gems for exec commands
 bundle install
@@ -45,3 +57,5 @@ git push origin vX.X.X
 # Rubygems token can be updated in ~/.gem/credentials
 bundle exec gem release
 ```
+
+The steps above were tested with Ruby `v2.5.7`.

data/Gemfile.lock

@@ -1,41 +1,42 @@
 PATH
   remote: .
   specs:
-    auth0 (4.10.0)
+    auth0 (4.15.0)
+      jwt (~> 2.2.0)
       rest-client (~> 2.0.0)
+      zache (~> 0.12.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (6.0.2.2)
-      actionview (= 6.0.2.2)
-      activesupport (= 6.0.2.2)
+    actionpack (6.0.3.2)
+      actionview (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.0.2.2)
-      activesupport (= 6.0.2.2)
+    actionview (6.0.3.2)
+      activesupport (= 6.0.3.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (6.0.2.2)
+    activesupport (6.0.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-      zeitwerk (~> 2.2)
+      zeitwerk (~> 2.2, >= 2.2.2)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
-    ast (2.4.0)
+    ast (2.4.1)
     builder (3.2.4)
-    codecov (0.1.16)
+    codecov (0.2.9)
       json
       simplecov
-      url
-    coderay (1.1.2)
-    concurrent-ruby (1.1.6)
+    coderay (1.1.3)
+    concurrent-ruby (1.1.7)
     coveralls (0.7.1)
       multi_json (~> 1.3)
       rest-client
@@ -45,18 +46,18 @@ GEM
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
     crass (1.0.6)
-    diff-lcs (1.3)
+    diff-lcs (1.4.4)
     docile (1.3.2)
     domain_name (0.5.20190701)
       unf (>= 0.0.5, < 1.0.0)
-    dotenv (2.7.5)
-    dotenv-rails (2.7.5)
-      dotenv (= 2.7.5)
-      railties (>= 3.2, < 6.1)
+    dotenv (2.7.6)
+    dotenv-rails (2.7.6)
+      dotenv (= 2.7.6)
+      railties (>= 3.2)
     erubi (1.9.0)
     faker (1.9.6)
       i18n (>= 0.7)
-    ffi (1.12.2)
+    ffi (1.13.1)
     formatador (0.2.5)
     fuubar (2.5.0)
       rspec-core (~> 3.0)
@@ -79,42 +80,42 @@ GEM
     hashdiff (1.0.1)
     http-cookie (1.0.3)
       domain_name (~> 0.5)
-    i18n (1.8.2)
+    i18n (1.8.5)
       concurrent-ruby (~> 1.0)
-    jaro_winkler (1.5.4)
-    json (2.3.0)
+    json (2.3.1)
+    jwt (2.2.2)
     listen (3.2.1)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    loofah (2.5.0)
+    loofah (2.7.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    lumberjack (1.2.4)
+    lumberjack (1.2.8)
     method_source (0.8.2)
     mime-types (3.3.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2019.1009)
+    mime-types-data (3.2020.0512)
     mini_portile2 (2.4.0)
-    minitest (5.14.0)
-    multi_json (1.14.1)
+    minitest (5.14.2)
+    multi_json (1.15.0)
     nenv (0.3.0)
     netrc (0.11.0)
-    nokogiri (1.10.9)
+    nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
     notiffany (0.1.3)
       nenv (~> 0.1)
       shellany (~> 0.0)
-    parallel (1.19.1)
-    parser (2.7.1.1)
-      ast (~> 2.4.0)
+    parallel (1.19.2)
+    parser (2.7.1.4)
+      ast (~> 2.4.1)
     pry (0.10.4)
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
       slop (~> 3.4)
     pry-nav (0.2.4)
       pry (>= 0.9.10, < 0.11.0)
-    public_suffix (4.0.4)
-    rack (2.1.2)
+    public_suffix (4.0.6)
+    rack (2.1.4)
     rack-test (0.8.3)
       rack (>= 1.0, < 3)
     rails-dom-testing (2.0.3)
@@ -122,17 +123,18 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.2.2)
-      actionpack (= 6.0.2.2)
-      activesupport (= 6.0.2.2)
+    railties (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
     rainbow (3.0.0)
     rake (13.0.1)
-    rb-fsevent (0.10.3)
+    rb-fsevent (0.10.4)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
+    regexp_parser (1.7.1)
     rest-client (2.0.2)
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
@@ -142,31 +144,34 @@ GEM
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
       rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.1)
-      rspec-support (~> 3.9.1)
-    rspec-expectations (3.9.1)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-support (3.9.2)
-    rubocop (0.82.0)
-      jaro_winkler (~> 1.5.1)
+    rspec-support (3.9.3)
+    rubocop (0.90.0)
       parallel (~> 1.10)
-      parser (>= 2.7.0.1)
+      parser (>= 2.7.1.1)
       rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.7)
       rexml
+      rubocop-ast (>= 0.3.0, < 1.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-rails (2.5.2)
-      activesupport
+    rubocop-ast (0.3.0)
+      parser (>= 2.7.1.4)
+    rubocop-rails (2.7.1)
+      activesupport (>= 4.2.0)
       rack (>= 1.1)
-      rubocop (>= 0.72.0)
+      rubocop (>= 0.87.0)
     ruby-progressbar (1.10.1)
     safe_yaml (1.0.5)
     shellany (0.0.1)
-    simplecov (0.18.5)
+    simplecov (0.19.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
     simplecov-html (0.12.2)
@@ -177,7 +182,7 @@ GEM
     terminal-notifier-guard (1.7.0)
     thor (1.0.1)
     thread_safe (0.3.6)
-    tins (1.24.1)
+    tins (1.25.0)
       sync
     tzinfo (1.2.7)
       thread_safe (~> 0.1)
@@ -185,14 +190,14 @@ GEM
       unf_ext
     unf_ext (0.0.7.7)
     unicode-display_width (1.7.0)
-    url (0.3.2)
-    vcr (5.1.0)
+    vcr (6.0.0)
     webmock (3.8.3)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    yard (0.9.24)
-    zeitwerk (2.3.0)
+    yard (0.9.25)
+    zache (0.12.0)
+    zeitwerk (2.4.0)
 
 PLATFORMS
   ruby

data/README.md

@@ -12,7 +12,7 @@ Ruby API client for the [Auth0](https://auth0.com) platform.
 
 This gem can be installed directly:
 
-``` bash
+```bash
 $ gem install auth0
 ```
 
@@ -26,7 +26,7 @@ bundle add auth0
 
 You can build the API documentation with the following:
 
-``` bash
+```bash
 bundle exec rake documentation
 ```
 
@@ -65,22 +65,22 @@ class AllUsersController < ApplicationController
     }
     @users = auth0_client.users @params
   end
-	
+
   private
-	
+
   # Setup the Auth0 API connection.
   def auth0_client
     @auth0_client ||= Auth0Client.new(
       client_id: ENV['AUTH0_RUBY_CLIENT_ID'],
       client_secret: ENV['AUTH0_RUBY_CLIENT_SECRET'],
-      # If you pass in a client_secret value, the SDK will automatically try to get a 
-      # Management API token for this application. Make sure your Application can make a 
+      # If you pass in a client_secret value, the SDK will automatically try to get a
+      # Management API token for this application. Make sure your Application can make a
       # Client Credentials grant (Application settings in Auth0 > Advanced > Grant Types
       # tab) and that the Application is authorized for the Management API:
       # https://auth0.com/docs/api-auth/config/using-the-auth0-dashboard
       #
       # Otherwise, you can pass in a Management API token directly for testing or temporary
-      # access using the key below. 
+      # access using the key below.
       # token: ENV['AUTH0_RUBY_API_TOKEN'],
       domain: ENV['AUTH0_RUBY_DOMAIN'],
       api_version: 2,
@@ -107,36 +107,116 @@ This should show the parameters passed to the `users` method and a list of users
 
 In addition to the Management API, this SDK also provides access to [Authentication API](https://auth0.com/docs/api/authentication) endpoints with the `Auth0::API::AuthenticationEndpoints` module. For basic login capability, we suggest using our OmniAuth stategy [detailed here](https://auth0.com/docs/quickstart/webapp/rails/01-login). Other authentication tasks currently supported are:
 
-* Register a new user with a database connection using the `signup` method.
-* Redirect a user to the universal login page for authentication using the `authorization_url` method.
-* Log a user into a highly trusted app with the [Resource Owner Password grant](https://auth0.com/docs/api-auth/tutorials/password-grant) using the `login` method.
-* Exchange an authorization code for an access token on callback using the `obtain_user_tokens` method (see the note on state validation below).
-* Send a change password email to a database connection user using the `change_password` method.
-* Log a user out of Auth0 with the `logout_url` method.
+- Register a new user with a database connection using the `signup` method.
+- Redirect a user to the universal login page for authentication using the `authorization_url` method.
+- Log a user into a highly trusted app with the [Resource Owner Password grant](https://auth0.com/docs/api-auth/tutorials/password-grant) using the `login` method.
+- Exchange an authorization code for an access token on callback using the `obtain_user_tokens` method (see the note on state validation below).
+- Send a change password email to a database connection user using the `change_password` method.
+- Log a user out of Auth0 with the `logout_url` method.
 
-**Important note on state validation**: If you choose to implement a login flow callback yourself, it is important to generate and store a `state` value, pass that value to Auth0 in the `authorization_url` method, and validate it in your callback URL before calling `obtain_user_tokens`. For more information on state validation, [please see our documentation](https://auth0.com/docs/protocols/oauth2/oauth-state). 
+**Important note on state validation**: If you choose to implement a login flow callback yourself, it is important to generate and store a `state` value, pass that value to Auth0 in the `authorization_url` method, and validate it in your callback URL before calling `obtain_user_tokens`. For more information on state validation, [please see our documentation](https://auth0.com/docs/protocols/oauth2/oauth-state).
 
 Please note that this module implements endpoints that might be deprecated for newer tenants. If you have any questions about how and when the endpoints should be used, consult the [documentation](https://auth0.com/docs/api/authentication) or ask in our [Community forums](https://community.auth0.com/tags/wordpress).
 
+## ID Token Validation
+
+An ID token may be present in the credentials received after authentication. This token contains information associated with the user that has just logged in, provided the scope used contained `openid`. You can [read more about ID tokens here](https://auth0.com/docs/tokens/concepts/id-tokens).
+
+Before accessing its contents, you must first validate the ID token to ensure it has not been tampered with and that it is meant for your application to consume. Use the `validate_id_token` method to do so:
+
+```ruby
+begin
+  @auth0_client.validate_id_token 'YOUR_ID_TOKEN'
+rescue Auth0::InvalidIdToken => e
+  # In this case the ID Token contents should not be trusted
+end
+```
+
+The method takes the following optional keyword parameters:
+
+| Parameter     | Type           | Description   | Default value             |
+| ------------- | -------------- | ------------- | ------------------------- |
+| `algorithm`   | `JWTAlgorithm` | The [signing algorithm](https://auth0.com/docs/tokens/concepts/signing-algorithms) used by your Auth0 application.  | `Auth0::Algorithm::RS256` (using the [JWKS URL](https://auth0.com/docs/tokens/concepts/jwks) of your **Auth0 Domain**) |
+| `leeway`      | Integer        | Number of seconds to account for clock skew when validating the `exp`, `iat` and `azp` claims.  | `60`  |
+| `nonce`       | String         | The `nonce` value you sent in the call to `/authorize`, if any.  | `nil`  |
+| `max_age`     | Integer        | The `max_age` value you sent in the call to `/authorize`, if any.  | `nil`  |
+| `issuer`      | String         | By default the `iss` claim will be checked against the URL of your **Auth0 Domain**. Use this parameter to override that. | `nil`  |
+| `audience`    | String         | By default the `aud` claim will be compared to your **Auth0 Client ID**. Use this parameter to override that.  | `nil`  |
+
+You can check the signing algorithm value under **Advanced Settings > OAuth > JsonWebToken Signature Algorithm** in your Auth0 application settings panel. [We recommend](https://auth0.com/docs/tokens/concepts/signing-algorithms#our-recommendation) that you make use of asymmetric signing algorithms like `RS256` instead of symmetric ones like `HS256`.
+
+```ruby
+# HS256
+
+begin
+  @auth0_client.validate_id_token 'YOUR_ID_TOKEN', algorithm: Auth0::Algorithm::HS256.secret('YOUR_SECRET')
+rescue Auth0::InvalidIdToken => e
+  # Handle error
+end
+
+# RS256 with a custom JWKS URL
+
+begin
+  @auth0_client.validate_id_token 'YOUR_ID_TOKEN', algorithm: Auth0::Algorithm::RS256.jwks_url('YOUR_URL')
+rescue Auth0::InvalidIdToken => e
+  # Handle error
+end
+```
+
+## Development
+
+In order to set up the local environment you'd have to have Ruby installed and a few global gems used to run and record the unit tests. A working Ruby version can be taken from the [CI script](/.circleci/config.yml). At the moment of this writting we're using Ruby `2.5.7`.
+
+> It is expected that every Pull Request introducing a fix, change or feature contains enough test coverage to assert the new behavior.
+
+### Running the tests
+
+Install the gems required for this project.
+
+```bash
+bundle install
+```
+
+Finally, run the tests.
+
+```bash
+bundle exec rake test
+```
+
+#### Running only unit tests
+
+You can run only the unit tests and ignore the integration tests by running the following:
+
+```bash
+bundle exec rake spec
+```
+
+#### Running only integration tests
+
+You can run only the unit tests and ignore the integration tests by running the following:
+
+```bash
+bundle exec rake integration
+```
 
 ## More Information
 
-* [Login using OmniAuth](https://auth0.com/docs/quickstart/webapp/rails/01-login)
-* [API authentication in Ruby](https://auth0.com/docs/quickstart/backend/ruby)
-* [API authentication in Rails](https://auth0.com/docs/quickstart/backend/rails)
-* [Managing authentication with Auth0 (blog)](https://auth0.com/blog/rails-5-with-auth0/)
-* [Ruby on Rails workflow with Docker (blog)](https://auth0.com/blog/ruby-on-rails-killer-workflow-with-docker-part-1/)
+- [Login using OmniAuth](https://auth0.com/docs/quickstart/webapp/rails/01-login)
+- [API authentication in Ruby](https://auth0.com/docs/quickstart/backend/ruby)
+- [API authentication in Rails](https://auth0.com/docs/quickstart/backend/rails)
+- [Managing authentication with Auth0 (blog)](https://auth0.com/blog/rails-5-with-auth0/)
+- [Ruby on Rails workflow with Docker (blog)](https://auth0.com/blog/ruby-on-rails-killer-workflow-with-docker-part-1/)
 
 ## What is Auth0?
 
 Auth0 helps you to:
 
-* Add authentication with [multiple authentication sources](https://docs.auth0.com/identityproviders), either social like **Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce** among others, or enterprise identity systems like **Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider**.
-* Add authentication through more traditional **[username/password databases](https://docs.auth0.com/mysql-connection-tutorial)**.
-* Add support for **[linking different user accounts](https://docs.auth0.com/link-accounts)** with the same user.
-* Support for generating signed [JSON Web Tokens](https://docs.auth0.com/jwt) to call your APIs and **flow the user identity** securely.
-* Analytics of how, when, and where users are logging in.
-* Pull data from other sources and add it to the user profile with [JavaScript rules](https://docs.auth0.com/rules).
+- Add authentication with [multiple authentication sources](https://docs.auth0.com/identityproviders), either social like **Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce** among others, or enterprise identity systems like **Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider**.
+- Add authentication through more traditional **[username/password databases](https://docs.auth0.com/mysql-connection-tutorial)**.
+- Add support for **[linking different user accounts](https://docs.auth0.com/link-accounts)** with the same user.
+- Support for generating signed [JSON Web Tokens](https://docs.auth0.com/jwt) to call your APIs and **flow the user identity** securely.
+- Analytics of how, when, and where users are logging in.
+- Pull data from other sources and add it to the user profile with [JavaScript rules](https://docs.auth0.com/rules).
 
 ## Create a free Auth0 Account